What Is "Baseline Binding" and Why It Prevents AI Session Hijacking
When your AI agent's requests suddenly come from a different country, that's a red flag. Stow's Baseline Binding locks every agent to its first-trust network fingerprint — and blocks anything that deviates.
Every AI agent credential is a target. An agent ID and secret embedded in a config file, copied to a second machine, or exfiltrated from a compromised system gives the attacker full tool access under your identity. Baseline Binding is the mechanism that makes stolen credentials useless without the original network context.
Here's how it works, what it captures, and when you need to reset it.
The Problem: Credentials Don't Know Where They Are
A standard API key or secret has no awareness of where it's being used. Copy a Cursor agent secret from your home office to a cloud VM and every request looks identical to the API — authenticated, valid, authorized. There's no mechanism to notice the geographic jump.
This is a real attack vector for AI agents. Unlike a human login — where suspicious logins from new locations can trigger MFA — agent credentials are typically long-lived secrets used programmatically. If they're leaked, there's no second factor to stop the attacker from using them immediately.
What Baseline Binding Captures
When an agent connects to Stow for the first time, the Risk Engine records its network fingerprint — a set of signals that establish "normal" for this agent:
IP Address
Your external IP address at the time of first connection. Subsequent requests from materially different IPs trigger elevated risk scoring.
ASN / ISP
Your internet service provider's Autonomous System Number. Switching from your home ISP to a data center or foreign network is a strong signal.
Geographic Region
Country and region derived from the network signal. A request originating in a different country is immediately flagged.
This fingerprint becomes the Security Baseline for that agent. Every subsequent request is evaluated against it.
What Happens When the Baseline Deviates
Baseline deviation doesn't automatically block a request — it feeds the Risk Engine, which generates a risk score and determines the response. The more severe the deviation, the higher the score:
Signal Promotion: When Anomalies Become Incidents
A single anomalous signal raises the risk score. Multiple anomalous signals — a new ISP combined with a new country combined with an unusual request pattern — can trigger Signal Promotion, escalating the event to an active incident. At that threshold, requests are blocked regardless of policy and you're notified immediately.
This matters because sophisticated attackers don't just steal credentials — they also try to blend in. Signal Promotion makes the blending harder by treating the combination of signals as more meaningful than any single one.
When You'll Legitimately Need to Reset
Moved to a new office or home network
Your IP and potentially your ISP has changed — the baseline is stale.
Started using a VPN for work
VPN exit nodes often appear as data center ranges, triggering elevated scores.
Traveling internationally
Country-level deviation triggers an immediate block. Rotate before you travel.
Changed internet service provider
ASN change is a strong signal. Reset the baseline when you switch ISPs.
How to Reset the Security Baseline
Resetting is done through secret rotation in the Stow dashboard. When you generate a new client secret, the baseline is cleared. The next request from the agent establishes a new baseline from whatever network it connects from.
- Navigate to AI Agents in the Stow dashboard
- Click your agent and go to Agent Configuration
- Click New Client Secret — copy and save the new secret
- Update your agent config (e.g., the MCP JSON file in Cursor) with the new secret
- The next connection from the new network becomes the new Security Baseline
Important: The old secret becomes invalid immediately when you rotate. Make sure you update your agent configuration before rotating — otherwise your agent will be blocked until you do.
What Gets Logged
Baseline Binding Is Defense-in-Depth
Baseline Binding isn't a replacement for strong secrets — it's a second layer that activates if your secrets are ever compromised. An attacker with a valid secret who connects from an unexpected location still gets blocked. That's the point.
The combination of permissioned access (Policy Engine) + anomaly detection (Risk Engine) + network binding (Baseline) gives Stow a layered security posture that credential theft alone can't defeat.
Stow Security Team
April 19, 2026